There is a concept of hashed mirrors to back up sources, preventing link rot:
It is not bot-maintained, so many of the sources are already 404 and not backed up to
The most affected are releases which have just reached end of life (20.03 currently): not only have they stopped receiving security updates, they almost immediately became broken because of link rot of source files which have not been backed up to
It might be challenging to create a bot parsing all fetchFromGitHub (the URLs and hashes are often computed), but probably OfBorg could ensure that everything they download is backed up on the hashed mirrors? That would also reduce the load on upstream websites and tolerate their downtimes.
Introducing something similar for private hashed mirrors would be a great addition too.